
sec:saml-server

sec:saml-server(
   $saml-entity-id as xs:string,
   $saml-attribute-names as xs:string*,
   $saml-privilege-attribute-name as xs:string?,
   [$http-options as element()],
   [$saml-destination as xs:string],
   [$saml-issuer as xs:string],
   [$saml-idp-certificate-authority as xs:string],
   [$saml-sp-certificate as xs:string],
   [$saml-sp-private-key as xs:string]
) as element(sec:saml-server)

Summary

This function builds the SAML server configuration element (a sec:saml-server element) that is passed to the sec:create-external-security function. It does not persist anything on its own; the configuration takes effect when the external security object is created.

Parameters
$saml-entity-id The SAML entity id.
$saml-attribute-names The SAML attribute names used for attribute query.
$saml-privilege-attribute-name The SAML privilege attribute name used for query.
$http-options The http options. The default value is (). The options node must be in the xdmp:http namespace. This parameter can also include certain option elements (for example, repair, encoding, default-language) in the xdmp:document-load and xdmp:document-get namespaces.

The http options include:

<headers>

A sequence of <name>value</name> pairs. The names can be anything, but many HTTP servers understand HTTP names such as content-type. These are turned into name:value HTTP headers. An error is raised if the child elements of the <headers> option are not of the form <name>value</name>.

<credential-id>

The credential id to use for authentication. This is the preferred way of providing authentication credentials because they are stored securely in the security database. When a credential id is specified, the other authentication information fields should be left empty and will be ignored. For details on obtaining a credential id, see the Usage Notes, below.

<authentication>

The credentials and the authentication method to use for this request. This element can contain the following child elements:
  • username: The username of the user to be authenticated on the http server
  • password: The password for username.
The authentication element can also include an optional method attribute with one of the following values: basic, digest, aws, aws4. If the authentication method is specified and the HTTP server requests a different type of authentication, then an error is raised.

<timeout>

The amount of time, in seconds, to wait until the HTTP connection times out. The default value is the http timeout for the group.

<ciphers>

A standard OpenSSL cipher string. For details on legal cipher strings, see http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS.

<client-cert>

A PEM encoded client certificate for identifying the client to the remote server.

<client-key>

The private key that corresponds to client-cert.

<pass-phrase>

A pass phrase, if one is needed to decrypt client-key.

<allow-sslv3>

A boolean value to specify whether to communicate using the SSL v3 protocol. The default is true, which indicates that SSL v3 is permitted. SSL v3 is obsolete and vulnerable to downgrade attacks such as POODLE; set this to false unless the Identity Provider cannot negotiate TLS.

<allow-tls>

A boolean value to specify whether to communicate using the TLS protocol. The default is true, which indicates communication using the TLS protocol.

<verify-cert>

A boolean value to specify whether the server's certificate should be verified. The default value is true. A value of false should only be specified after careful consideration of the security risks, since it permits communication with servers whose certificates are expired, revoked, or signed by unknown or untrusted authorities. A value of false also removes protection against a man-in-the-middle attack, which for a SAML attribute query means an attacker could answer the query in place of the Identity Provider.

<ssl-session-cache>

A boolean value to specify whether the SSL session should be cached and reused. The default value is true. A value of false should only be specified if the SSL session cache causes problems with a URL.
$saml-destination The URL for the Identity Provider to accept the authentication request.
$saml-issuer The identity of the Service Provider (MarkLogic Server).
$saml-idp-certificate-authority The certificate used to validate the Identity Provider's signature on the SAML response it returns (the Service Provider signs the authentication request; the Identity Provider signs the response).
$saml-sp-certificate The certificate used to sign the authentication request sent to the Identity Provider.
$saml-sp-private-key The private key corresponding to $saml-sp-certificate, used to sign the authentication request. Treat it as a secret: it should not be embedded in modules that are checked into source control or logged.

Example



  (: execute this against the security database :)
  xquery version "1.0-ml"; 
 
  import module namespace sec = "http://marklogic.com/xdmp/security" 
      at "/MarkLogic/security.xqy";

  sec:saml-server("http://id.example.com/example",
           (),(),
           (: An inline username/password is shown for brevity. A
              <credential-id> referring to a credential stored in the
              security database is the preferred way to authenticate
              the attribute query; when it is present, any inline
              authentication element is ignored. :)
           <sec:http-options xmlns="xdmp:http">
             <authentication method="digest">
                <username>admin</username>
                <password>admin</password>
             </authentication>
           </sec:http-options>)
 
    

Example



  (: execute this against the security database :)
  xquery version "1.0-ml"; 
 
  import module namespace sec = "http://marklogic.com/xdmp/security" 
      at "/MarkLogic/security.xqy";

  sec:saml-server("http://id.example.com/example",
           (),(),
           <sec:http-options xmlns="xdmp:http">
             <authentication method="digest">
                <username>admin</username>
                <password>admin</password>
             </authentication>
           </sec:http-options>,
           "https://kcd2012dc.engrlab.marklogic.com:9031/idp/SSO.saml2",
           "https://engrlab-130-112.engrlab.marklogic.com/sp",
           "https://kcd2012dc.engrlab.marklogic.com/idp",
           "-----BEGIN CERTIFICATE-----
MIIC1DCCAj2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBhjELMAkGA1UEBhMCdXMx
CzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNNYXJrTG9naWMgUGluZyBEZW1vMRIwEAYD
VQQDDAlTYW1sIFRlc3QxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYJKoZIhvcN
AQkBFhNhdHNvaUBtYXJrbG9naWMuY29tMB4XDTE4MDgwMTIzMTAyNVoXDTE5MDgw
MTIzMTAyNVowgYYxCzAJBgNVBAYTAnVzMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
TWFya0xvZ2ljIFBpbmcgRGVtbzESMBAGA1UEAwwJU2FtbCBUZXN0MRQwEgYDVQQL
DAtFbmdpbmVlcmluZzEiMCAGCSqGSIb3DQEJARYTYXRzb2lAbWFya2xvZ2ljLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtWkpQV132m6hOteZ8EL98pMi
gAFmzpgn1GCwaPkb9U1rAT75kKnxwP9rVeXJ4YRH+JrhntY3uTSz2Z1DhVJdNxXA
cY+ML1qs+yPG2stcZOPTPCqr3cF15TRx0xUj6fZogf47PGpwZLSITgqw/L4AIXL7
YYKperEOe2zvORhV5zcCAwEAAaNQME4wHQYDVR0OBBYEFHHYan5cJn3rj/1bq8/v
z36+0u8WMB8GA1UdIwQYMBaAFHHYan5cJn3rj/1bq8/vz36+0u8WMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQENBQADgYEAgA90Lv5VzABGl7uok8Z6rAiFzVOURkai
Nu7Ds0LBD/z6ZqfsiHwF9wrwO6CWCoRTNmYtPfgY5wf0FTdRFBni6pSkZTuovXgc
7giBZHX1yVglXPpUNF/LsxpKJM9DPUvka5CNxUG0SnN29anVuF8fptCxhG8N+JjI
rIp0ZVJjbtE=
-----END CERTIFICATE-----",
"-----BEGIN PRIVATE KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFsXIdgFSuiImTXuCoAxke45SC
Aqq+diaRgu1rrVMEcJDpRFe4cNAIoVTcVhiZjd5V7WYZ7e/VZPcrMmUmg87YoYIu
rvxUdSnljTD495I8HOWueC8SZIVEM3oO31SCqlVwefFBf6wJNM0zN6FDRBk/satA
Qz9etFi8d8YtxyPFgQIDAQAB
-----END PRIVATE KEY-----"
)
    
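Example

The following is an added example, not part of the original MarkLogic documentation, that ties the http options described above to the full sec:saml-server call and passes the result to sec:create-external-security. It assumes a credential named saml-attribute-query has already been created in the security database (for example with sec:create-credential) and looks up its id with sec:credential-get-id, so no password appears in the module; the PEM material is read from hypothetical files under /etc/marklogic/saml/ with xdmp:filesystem-file for the same reason. The certificate and key parameters are passed as PEM strings, as the parameter descriptions above specify. The IdP URLs, attribute names, role names and timeouts are placeholders. The http options turn SSL v3 off, keep verify-cert at its default of true and pin a cipher string, which is the configuration a practitioner would want against an Identity Provider.

```xquery
(: execute this against the security database :)
xquery version "1.0-ml";

import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

(: Hypothetical IdP and SP identifiers; substitute your own. :)
declare variable $idp-sso-url := "https://idp.example.com/idp/SSO.saml2";
declare variable $sp-issuer   := "https://marklogic.example.com/sp";
declare variable $idp-issuer  := "https://idp.example.com/idp";

(: Read the PEM material from files on the MarkLogic host instead of
   pasting it into the module, so the SP private key never ends up in
   a query log or a source repository. The paths are placeholders. :)
declare variable $idp-ca-pem  := xdmp:filesystem-file("/etc/marklogic/saml/idp-ca.pem");
declare variable $sp-cert-pem := xdmp:filesystem-file("/etc/marklogic/saml/sp-cert.pem");
declare variable $sp-key-pem  := xdmp:filesystem-file("/etc/marklogic/saml/sp-key.pem");

(: HTTP options for the attribute query to the IdP.
   - credential-id: the credential "saml-attribute-query" is assumed to
     exist already; referencing it by id keeps the password out of this
     module, and any inline <authentication> would be ignored anyway.
   - allow-sslv3 is forced off (its default is true).
   - verify-cert is left explicitly true so the IdP certificate chain is
     checked and a man-in-the-middle cannot answer the attribute query.
   - ciphers restricts negotiation to strong suites. :)
declare variable $http-options :=
  <sec:http-options xmlns="xdmp:http">
    <credential-id>{sec:credential-get-id("saml-attribute-query")}</credential-id>
    <timeout>10</timeout>
    <allow-sslv3>false</allow-sslv3>
    <allow-tls>true</allow-tls>
    <verify-cert>true</verify-cert>
    <ciphers>HIGH:!aNULL:!eNULL:!MD5:!RC4</ciphers>
  </sec:http-options>;

let $saml-server :=
  sec:saml-server(
    $sp-issuer,                 (: $saml-entity-id :)
    ("mail", "memberOf"),       (: $saml-attribute-names queried from the IdP :)
    "memberOf",                 (: $saml-privilege-attribute-name :)
    $http-options,
    $idp-sso-url,               (: $saml-destination :)
    $sp-issuer,                 (: $saml-issuer: this Service Provider :)
    $idp-ca-pem,                (: validates the IdP signature on the response :)
    $sp-cert-pem,               (: signs the authentication request :)
    $sp-key-pem)
return
  (: Create the external security object that uses this SAML server for
     both authentication and authorization. Returns the new object's id. :)
  sec:create-external-security(
    "saml-idp-example",
    "SAML authentication and authorization against idp.example.com",
    "saml",                     (: authentication :)
    xs:unsignedInt(300),        (: cache timeout, seconds :)
    "saml",                     (: authorization :)
    (),                         (: no LDAP server :)
    $saml-server)
```

The functions sec:saml-server and sec:create-external-security both must run against the security database, which is why the whole module is executed there. Keeping the PEM files readable only by the MarkLogic service account completes the picture: the key is the credential that lets this server speak for the Service Provider, so whoever can read it can forge authentication requests.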
